Web Skimming
Online shopping has become much more popular during the Coronavirus outbreak. Which also means that hackers are finding new ways to get their hands on people’s payment information on these online shopping websites. They mainly use a type of attack called web skimming. Web skimming is used by attackers to steal credit card details from the payment pages of online stores. They do this by injecting pieces of code into the source code of the website. This code then collects data that website users put in, such as account logins, but also credit card details. The collected data is then sent on to a third party address that’s owned by the attackers. Attackers often register domains that look like popular web analytics services, such as Google Analytics, to hide the fact that a website has been compromised.
New Technique
Researchers at Kaspersky have now stated that they have discovered a new technique that is being used by hackers. Data is no longer sent to these third party sources, but they are redirected to actual Google Analytics accounts. The researchers said that they have “identified several cases where this service was misused: attackers injected malicious code into sites, which collected all the data entered by users, and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account.” This technique is used to steal credit card numbers, user agents, IP addresses, passwords. Anything that the hackers can get their hands on. “[T]he script collects everything anyone inputs on the site (as well as information about the user who entered the data: IP address, User Agent, time zone). The collected data is encrypted and sent using the Google Analytics Measurement Protocol.”
How do They do It?
First of all, hackers need to be able to exploit a website. Which means that a website needs to have weak protection for a hacker to be able to gain control. Once they do manage to get in, the attacker will upload code that steals information that users put in on the website. This new strategy is very difficult to detect. The attackers add their own Google Analytics code into the website, allowing them to collect data about the visitors of the website. This data is then sent directly to the Google Analytics account.
Analytics Services
The problem is that it is difficult for a website administrator to realize that the website has been compromised. Victoria Vlasova, a senior malware analyst at Kaspersky, explained that Google Analytics is one of the most used analytics services and well trusted by all its users. “As a rule, administrators should not assume that, just because the third-party resource is legitimate, its presence in the code is ok,” she said.
Security
One way to see whether your website has been hacked is to check whether there is more than one Google Analytics code on your site. You would notice if your code was completely replaced, because then you would no longer see any reports on the traffic on your analytics page. Another thing that the hackers are doing to make it more difficult to detect an attack is that attackers are hiding their code when a browser is in developer mode. Attackers probably assume that the person who maintains the website will be checking the site’s code in developer mode. So make sure to check it out of developer mode as well. Google has been notified about the situation, and hopefully they can come up with a solution to this issue. In the meantime, Kaspersky experts recommend that website developers use a reliable security solution to avoid this issue. Your security needs to be able to detect and block malicious scrips from being run on your website.
Content Security Policy
Security headers are one way to secure a website. They protect a site against cross site scripting and script injection. One of these headers is a Content Security Policy (CSP) header. This header determines which domains are trusted for downloading scripts. So they would usually keep hackers out. The issue is that there is a flaw in the CSP header. Google Analytics is specified as a trusted source of scripts. Which means that the hackers can bypass the content security protocols, since they are using their own Google Analytics code. Sadly, CSP cannot do anything about this.
